Releases: cloudfoundry/routing-release
0.343.0
Release Date: August 07, 2025
Changes
- Dependency Bumps
- Bumped to Golang 1.24.5
- Changed some redundant log messages to Debug. Thanks @hoffmaen!
- Added support to routing-api and tcp-router to allow route-registrar based TCP routes to request frontend TLS termination by tcp-router, using ALPNs to host multiple services behind a single TLS port and reducing the number of TCP routes needed for backend services. Thanks @AshishNaware @neowulf!
Bosh Job Spec changes:
diff --git a/jobs/route_registrar/spec b/jobs/route_registrar/spec
index c39eac917..f575e1006 100644
--- a/jobs/route_registrar/spec
+++ b/jobs/route_registrar/spec
@@ -104,7 +104,7 @@ properties:
type (optional, string, for all routes): Defaults to http, can specify http, sni, or tcp.
uris (required, array, for http routes): When Gorouter receives a request that matches one of these URIs,
it will forward them to the IP of the host on which route_registrar runs, and either port or tls_port.
- sni_port (required, integer, for sni rotues): When sni type provided, this is the downstream port to route to
+ sni_port (required, integer, for sni routes): When sni type provided, this is the downstream port to route to
port (required, integer, for all routes): Either `port` or `tls_port` are required; if both are provided, Gorouter will prefer tls_port.
Requests for associated URIs will be forwarded unencypted by the router to this port.
The IP is determined automatically from the host on which route-registrar is run.
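Review bot: the `rotues` fix is right, but two context lines further down in the same property block the `port` description still reads "forwarded unencypted by the router"; correct that to "unencrypted" in the same pass, since it is the sentence operators rely on to know this hop carries plaintext. The `port` line is also tagged "required ... for all routes" while its text says "Either `port` or `tls_port` are required", which is worth reconciling.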
@@ -128,6 +128,8 @@ properties:
external_port (required, string, for tcp routes): Port that the TCP router will listen on.
server_cert_domain_name_modifier (optional, string, for sni routes): a regex replace to help with complicated hostnames.
options (optional, object, for http routes): Custom per-route options
+ terminate_frontend_tls (optional, boolean): When true, the router will terminate TLS before forwarding requests to the backend. Default: false
+ alpns (optional, array): Application Layer Protocol Negotiation strings.
health_check object
name (required, string): Human-readable reference for the healthcheck
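Review bot: the two added entries, `terminate_frontend_tls` and `alpns`, carry no route-type qualifier, unlike the neighbouring entries ("for tcp routes", "for sni routes", "for http routes"), so a reader cannot tell which `type` they apply to or whether they are ignored elsewhere. Say which route type they belong to, name the component instead of "the router", and for `alpns` state the accepted values, the default, and whether it has any effect when `terminate_frontend_tls` is false.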
@@ -161,6 +163,10 @@ properties:
script_path: /path/to/script
timeout: 5s
route_service_url: https://my-oauth-proxy-route-service.example.com
+ terminate_frontend_tls: true
+ alpns:
+ - h2
+ - http/1.1
options:
loadbalancing: least-connection
- name: my-tls-endpoint
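Review bot: the example adds `terminate_frontend_tls: true` and `alpns` to a route entry that also sets `route_service_url` and `options`, and `options` is documented above as "for http routes", so the sample reads as an HTTP route with frontend TLS termination. If the new keys apply to only one route type, move them into an example entry of that type so the sample is a configuration that can be deployed as written.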
diff --git a/jobs/tcp_router/spec b/jobs/tcp_router/spec
index 234e3db92..7d1df979f 100644
--- a/jobs/tcp_router/spec
+++ b/jobs/tcp_router/spec
@@ -59,6 +59,21 @@ properties:
be set. For mTLS also set tcp_router.backend_tls.client_cert and
tcp_router.backend_tls.client_key.
default: false
+ tcp_router.frontend_tls_pem.certificate_path:
+ description: Path to the certs and key store
+ tcp_router.frontend_tls:
+ description: "Array of private keys, certificates and names for serving TLS requests. Each element in the array is an object containing fields 'private_key' and 'cert_chain', each of which supports a PEM block."
+ example: |
+ - cert_chain: |
+ -----BEGIN CERTIFICATE-----
+ -----END CERTIFICATE-----
+ -----BEGIN CERTIFICATE-----
+ -----END CERTIFICATE-----
+ private_key: |
+ -----BEGIN RSA PRIVATE KEY-----
+ -----END RSA PRIVATE KEY-----
+ name: |
+ name of the cert
tcp_router.backend_tls.client_cert:
description: "TCP Router's TLS client cert used for mTLS with route backends"
tcp_router.backend_tls.client_key:
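Review bot: `tcp_router.frontend_tls` describes each element as containing 'private_key' and 'cert_chain', but the example also sets `name`, and the description never says what `name` is matched against or whether it is required. Document that field, and expand `tcp_router.frontend_tls_pem.certificate_path` beyond "Path to the certs and key store": it has no default or example, and its relationship to `tcp_router.frontend_tls` is not stated. Since that path holds private keys, the description should also say who is expected to own it and with what permissions.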
✨ Built with go 1.24.6
Full Changelog: v0.342.0...v0.343.0
0.342.0
Release Date: July 07, 2025
Changes
- Bump blob jq from 1.8.0 to 1.8.1
- Bump go package tlsconfig from v0.29.0 to v0.30.0
- Bump go package github.com/cloudfoundry/cf-test-helpers/v2 from v2.12.0 to v2.13.0
- Bump go package github.com/nats-io/nats-server/v2 from v2.11.4 to v2.11.5
- Bump go package code.cloudfoundry.org/bbs from v0.0.0-20250414163106-a163a3b524d2 to v0.0.0-20250627143703-e88b3ec8cd1e
- Bump go package github.com/prometheus/common from v0.64.0 to v0.65.0
✨ Built with go 1.24.4
Full Changelog: v0.341.0...v0.342.0
0.341.0
Release Date: June 24, 2025
Changes
- Added the ability for operators to completely override the BBR metadata to control what restores block on.
- ⚠️ Removed the deprecated router.max_header_kb property. Please use router.max_request_header_kb. Thanks @kart2bc!
- ⚠️ Removed the ability for operators to configure logging timestamps. Only RFC3339 is permitted now. Thanks @kart2bc!
- Bumped to a newer version of the cf-cli for acceptance tests
Bosh Job Spec changes:
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index 8378da138..a9e55d41a 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -287,20 +287,13 @@ properties:
router.route_services_strict_signature_validation:
description: "Enforce strict validation of a route service signature"
default: false
- router.max_header_kb:
- description: |
- Deprecated, use router.max_request_header_kb instead which is equivalent to this option.
- default: 1024 # 1Mb
router.max_request_header_kb:
description: |
This value controls the maximum number of bytes (in KB) the gorouter will read
parsing the request header's keys and values, including the request
line. It does not limit the size of the request body. Requests with
larger headers will result in a 431 status code. Must be between 1 and 1024kb.
- Note: This value takes precedence over router.max_header_kb but has no default to not break
- existing setups. If you previously configured router.max_header_kb it is recommended to
- switch to this property instead.
- example: 1024 # 1Mb
+ default: 1024 # 1Mb
router.max_response_header_kb:
description: |
This value controls the maximum number of bytes (in KB) the gorouter will read
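Review bot: with `router.max_header_kb` deleted and `router.max_request_header_kb` switched from `example: 1024` to `default: 1024`, nothing left in the spec tells an operator who only ever set the old key that their value no longer applies and the limit is now 1024 KB. Keep a one-line pointer to the removed name in the new description, or have the job fail when the old key is still present, so a tighter header limit is not silently dropped on upgrade. Minor: the comment `# 1Mb` reads as megabits; `# 1 MB` matches the "in KB" wording.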
@@ -352,13 +345,6 @@ properties:
stderr logs.
Available fields are: backend_time, dial_time, dns_time, failed_attempts, failed_attempts_time, local_address, tls_time
default: []
- router.logging.format.timestamp:
- description: |
- Format for timestamp in component logs. Valid values are 'rfc3339', 'deprecated', and 'unix-epoch'."
- 'rfc3339' is the recommended format. It will result in all timestamps controlled by gorouter to be in RFC3339 format, which is human readable. This includes stdout, pre-start, and post-start logs. This does not include stderr logs from golang libraries.
- 'deprecated' will result in all timestamps being in the format they were before the rfc3339 flag was introduced. This format is different for different logs. We do not recommend using this flag unless you have scripts that expect a particular timestamp format.
- 'unix-epoch' is an old flag that we do not recommend using, but we are keeping for backwards compatibility. It will result in the gorouter logs to be in unix-epoch format. This does not effect pre-start or post-start logs. This does not effect stderr logs from golang libaries.
- default: "rfc3339"
router.enable_proxy:
description: "Enables support for the popular PROXY protocol, allowing downstream load balancers that do not support HTTP to pass along client information."
default: false
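Review bot: `router.logging.format.timestamp` is removed outright, including the 'unix-epoch' and 'deprecated' values that the old text said were kept for scripts expecting a particular format, and the spec keeps no trace that RFC3339 is now fixed. Add a sentence to a remaining logging property stating that timestamps are always RFC3339, so operators whose log parsers or alerting rules key on the old formats can find the change in the spec rather than through broken ingestion.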
diff --git a/jobs/routing-api/spec b/jobs/routing-api/spec
index bea7e6ca1..751eefe2f 100644
--- a/jobs/routing-api/spec
+++ b/jobs/routing-api/spec
@@ -232,6 +232,13 @@ properties:
description: "Local port to listen on with admin endpoint (used for backup/restore locking)"
default: 15897
+ routing_api.bbr.metadata:
+ description: "BBR Metadata"
+ default: |
+ ---
+ restore_should_be_locked_before:
+ - job_name: uaa
+ release: uaa
release_level_backup:
default: false
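Review bot: the description "BBR Metadata" for `routing_api.bbr.metadata` does not say that the value is a YAML document passed as a string, or that an override replaces the default wholesale. Spell that out, and note that dropping the `uaa` entry from `restore_should_be_locked_before` removes that ordering during restore.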
✨ Built with go 1.24.4
Full Changelog: v0.340.0...v0.341.0
0.340.0
Release Date: June 06, 2025
Changes
- Bumped to golang 1.24.4
- Bumped to jq 1.8.0
Bosh Job Spec changes:
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index a88b19ab..8378da13 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -255,6 +255,10 @@ properties:
Maximum number of attempts on failing requests against route service URLs.
The minimum value for this setting is 1. This prevents gorouter from getting blocked by indefinite retries.
default: 3
+ router.route_services.enable_websockets:
+ description: |
+ Enable websocket connections for application routes bound to Route Services.
+ default: true
router.route_services.cert_chain:
description: Certificate chain used for client authentication to TLS-registered route services. In PEM format.
router.route_services.private_key:
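Review bot: `router.route_services.enable_websockets` ships with `default: true`, so behaviour changes on upgrade without any manifest edit, and the description does not say whether the websocket upgrade request is sent through the route service or around it. State that explicitly, because operators who use a route service for authentication need to know whether websocket traffic gets the same check, and say what setting it to `false` does to such requests.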
✨ Built with go 1.24.4
Full Changelog: v0.339.0...v0.340.0
0.339.0
Release Date: June 04, 2025
Changes
- feat: RouteAdded and RouteDeleted metrics have been introduced - a3c5487. Thanks @Soha-Albaghdady / @maxmoehl
- feat: websockets are now supported via route services by default and can be disabled via: router.route_services.enable_websockets: false. #474. Thanks @Dariquest / @maxmoehl
- refactor: 100-continue specific proxy has been removed, golang 1.23 handles it correctly - #483. Thanks @geofffranks
- refactor: route registry metrics have been fixed to report correct result #468 and #478. Thanks @maxmoehl / @hoffmaen
- ci: PR validation has been introduced to run linters and unit/integration tests. Trigger PR validation via label ready-to-run. Thanks @kart2bc
- misc: pre-start checks below were merged prior to 0.338.0 via #481. They are kept for reference and were missed during CI migrations
Bosh Job Spec changes:
diff --git a/jobs/tcp_router/spec b/jobs/tcp_router/spec
index aa6b764c..234e3db9 100644
--- a/jobs/tcp_router/spec
+++ b/jobs/tcp_router/spec
@@ -19,6 +19,7 @@ templates:
haproxy.conf.template.erb: config/haproxy.conf.template
bpm.yml.erb: config/bpm.yml
drain.erb: bin/drain
+ pre-start.erb: bin/pre-start
post-start.erb: bin/post-start
packages:
✨ Built with go 1.24.3
Full Changelog: v0.338.0...v0.339.0
0.338.0
Release Date: May 16, 2025
Changes
- Update dependencies
✨ Built with go 1.24.3
Full Changelog: v0.337.0...v0.338.0
0.337.0
Release Date: May 07, 2025
Changes
- gorouter source code has been inlined directly into this release, and the separate repo has been archived. Thank you so much @maxmoehl!!! 🎉
- Additional request timeout properties have been added to routing-release + gorouter to provide more flexibility with overall request timeouts. Previously request_timeout_in_seconds applied to both HTTP/1 and HTTP/2 requests. This limited the ability to guard against slowloris attacks for HTTP/1 requests while also allowing GRPC streams over HTTP/2 to live indefinitely. request_timeout_in_seconds is now used as a default value for the new http_1_request_timeout_in_seconds and http_2_request_timeout_in_seconds properties. See the property descriptions below for more information. Thanks @kart2bc!
- Dependency updates
Bosh Job Spec changes:
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index d373561e..a88b19ab 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -523,6 +523,16 @@ properties:
Requests from router to backend endpoints that are longer than this duration will be canceled and logged as
`backend-request-timeout` errors. If set to 0 this timeout is disabled.
default: 900
+ http_1_request_timeout_in_seconds:
+ description: |
+ The amount of time HTTP/1 requests from the Gorouter to apps are allowed to live before being canceled.
+ Enter value in seconds. Set to -1 to disable timeouts. If set to 0, it inherits the value from request_timeout_in_seconds.
+ default: 0
+ http_2_request_timeout_in_seconds:
+ description: |
+ The amount of time HTTP/2 requests from the Gorouter to apps are allowed to live before being canceled.
+ Enter value in seconds. Set to -1 to disable timeouts. If set to 0, it inherits the value from request_timeout_in_seconds.
+ default: 0
endpoint_dial_timeout_in_seconds:
description: |
Maximum time in seconds for gorouter to establish a TCP connection with a backend. This timeout comes before `tls_handshake_timeout_in_seconds`
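Review bot: the sentinel values are inconsistent within this block: the preceding timeout property in the context lines (default: 900) says "If set to 0 this timeout is disabled", while for the two added properties 0 means inherit and -1 means disabled. If the inherited value is itself 0, leaving `http_1_request_timeout_in_seconds` at its default yields no HTTP/1 timeout at all. Document that combination in both new descriptions and say what values below -1 do.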
✨ Built with go 1.24.2
Full Changelog: v0.336.0...v0.337.0
0.336.0
Release Date: April 28, 2025
Changes
- haproxy bumped to v2.8.15
- When retrying retriable requests, Gorouter will now refresh the backend pool to detect backends that have been registered after the initial request was made. Thanks @mariash!
✨ Built with go 1.24.2
Full Changelog: v0.335.0...v0.336.0
0.335.0
Release Date: April 16, 2025
Changes
- feat: introduce gorouter_time metrics - cloudfoundry/gorouter#473 - Thanks @kart2bc
- fix: add OU in client-cert field_map - #464 - Thanks @plowin
- dep: various dependency bumps and golang patch
✨ Built with go 1.24.2
Full Changelog: v0.334.0...v0.335.0
0.334.0
Release Date: March 31, 2025
Changes
- feat: Introduce switch for envelope v1 metrics - #456 - Thanks @b1tamara and @mike-jc !
- revert fix for race condition now that race condition does not exist - cloudfoundry/gorouter#469
- This change + Go 1.24 changes how 1XX responses are handled. This might affect users:
Transport’s limit on 1xx informational responses received in response to a request has changed. It previously aborted a request and returned an error after receiving more than 5 1xx responses. It now returns an error if the total size of all 1xx responses exceeds the Transport.MaxResponseHeaderBytes configuration setting.
Bosh Job Spec changes:
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index 1feb42f7..d373561e 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -76,8 +76,14 @@ properties:
description: "TLS Certificate used for the TLS listener of the LB healthcheck endpoint"
router.status.tls.key:
description: "Private Key used for the TLS listener of the LB healthcheck endpoint"
+ router.enable_envelope_v1_metrics:
+ description: "Enables support for metrics reported via Envelope."
+ default: true
router.prometheus.port:
- description: "Port for the prometheus endpoint."
+ description: "Port for the prometheus endpoint. Automatically enables Prometheus support."
+ router.prometheus.enable_scraper:
+ description: "Activate the Prometheus scraper to collect metrics from the gorouter."
+ default: true
router.prometheus.server_name:
description: "The server name used in the certificate for the metrics endpoint."
router.prometheus.ca_cert:
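Review bot: the new `router.prometheus.port` description says setting the port "Automatically enables Prometheus support", while `router.prometheus.enable_scraper` is added beside it with `default: true`, and the spec does not say how the two interact. A listener that appears as a side effect of a port value is easy to miss in review, so state what is enabled when only the port is set and what `enable_scraper: false` turns off. The `router.enable_envelope_v1_metrics` description, "metrics reported via Envelope", needs the same expansion.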
@@ -89,6 +95,18 @@ properties:
router.prometheus.key:
description: "TLS private key for prometheus server."
default: ""
+ router.prometheus.meters.route_lookup_time_histogram_buckets:
+ description: "Upper limits in nanoseconds of the ranges in which the observed value of route lookup time is expected to fall"
+ default: [10000, 20000, 30000, 40000, 50000, 60000, 70000, 80000, 90000, 100000]
+ router.prometheus.meters.route_registration_latency_histogram_buckets:
+ description: "Upper limits in milliseconds of the ranges in which the observed value of route registration latency is expected to fall"
+ default: [0.1, 0.5, 1, 1.5, 2, 2.5, 3, 3.5, 4]
+ router.prometheus.meters.routing_response_latency_histogram_buckets:
+ description: "Upper limits in milliseconds of the ranges in which the observed value of route response latency is expected to fall"
+ default: [1, 2, 4, 6, 8, 10, 20, 40, 50, 100, 500, 1000]
+ router.prometheus.meters.http_latency_histogram_buckets:
+ description: "Upper limits in seconds of the ranges in which the observed value of the latency of http requests from gorouter and back"
+ default: [0.1, 0.2, 0.4, 0.8, 1.6, 3.2, 6.4, 12.8, 25.6]
router.requested_route_registration_interval_in_seconds:
description: |
On startup, the router will delay listening for requests by this duration to increase likelihood that it has a complete routing table before serving requests.
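Review bot: the four `*_histogram_buckets` properties use three different units (nanoseconds, milliseconds, milliseconds, seconds) that appear only in the description text, so an override copied from one property to another is off by orders of magnitude without any error. Put the unit in the property name or validate the ranges in the template. The `http_latency_histogram_buckets` description is also an incomplete sentence ("the latency of http requests from gorouter and back"), and `routing_response_latency` is described as "route response latency".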
✨ Built with go 1.24.1
Full Changelog: v0.333.0...v0.334.0